Cisco IOS Release 12.0(25)SX4

These release notes provide information about Cisco IOS software Release 12.0(25)SX4 for the Cisco 10000 series router. These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.

Cisco IOS Release 12.0(25)SX4 is based on Cisco IOS Release 12.0(25)S. The Cisco 10000 router supports a subset of the new features in Cisco IOS Release 12.0(25)S. For more information, see the "New Features—Cisco IOS Release 12.0(25)S" section. This section lists the features supported on the Cisco 10000 router.

To view the release notes for the following Cisco IOS software releases, go to the following URLs:

Cisco Security Advisory

Cisco routers and switches that are running Cisco IOS software and that are configured to process Internet Protocol Version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device might cause the input interface to stop processing traffic when the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices that are running only IP Version 6 (IPv6) are not affected. A workaround is available.

System Requirements

This release requires that you have the performance routing engine (PRE), part number ESR-PRE1 installed in the Cisco 10000 router chassis. To verify which PRE is installed in the router, use the show version command.

Memory Requirements


Feature Set by Router	Image Name	Flash Memory	DRAM Memory	Runs From
Router	c10k-p10-mz	40 MB	512 MB	RAM
Service Provider/ Secured Shell 3DES	c10k-k4p10-mz	40 MB	512 MB	RAM

Upgrading to a New Software Release

Upgrading from Earlier Cisco IOS Releases

Upgrading from Cisco IOS Release 12.0(14)SL or from Earlier Releases Based on Cisco IOS Release 12.0(x)SL

If you are upgrading your software from Cisco IOS Release 12.0(14)SL or from earlier releases based on Cisco IOS Release 12.0(x)SL to Cisco IOS Release 12.0(25)SX4, save your current configuration file. If you decide to reinstall Cisco IOS Release 12.0(14)SL or an earlier release, you must also reinstall the configuration file associated with that release because some Border Gateway Protocol (BGP) configuration file entries in Cisco IOS Release 12.0(25)SX4 are not compatible with Cisco IOS Release 12.0(14)SL or earlier releases.

Upgrading Software on Redundant PREs

The procedure included in the "Upgrading Software on Redundant PREs" section instructs you to tell the Cisco 10000 router the location in which the new boot image resides. Be sure to specify c10k-p10-mz instead of the c10k-p6-mz image name indicated in the documentation.

New Features—Cisco IOS Release 12.0(25)SX4

Cisco IOS Release 12.0(25)SX4 contains no new features, but includes all of the new features and performance enhancements introduced in Cisco IOS Release 12.0(25)SX1 and Cisco IOS Release 12.0(25)SX, which is based on Cisco IOS Release 12.0(25)S.

New Features—Cisco IOS Release 12.0(25)SX1

Cisco IOS Release 12.0(25)SX1 provides the following performance enhancements, but contains no new features.

This release improves the performance of the VTMS Link Utilization feature. The default queue size is based on link bandwidth instead of queue bandwidth as in previous releases.

The QA Error Recovery feature enables the router to recover quickly from problems known as QAERRORs, which can be caused by hardware or software issues. When a QAERROR occurs, the router might stop responding while it tries to recover from the problem. QA error recovery reduces the router down time to as little as one second. Previously, a fully loaded router might be down for up to five minutes (300 seconds).

The QA error recovery feature is enabled by default. To disable the feature, issue the following command:

When QA error recovery is successful, the router displays a console message indicating success. In addition, the show controllers cbus command indicates the number of QAERROR recoveries.

The following sample console messages show an occurrence of a QAERROR and the router's recovery from the error. The router might display additional messages during error recovery (which can help service technicians diagnose the cause of the problem).

The following example shows QA error recovery information in show controllers cbus command output:

New Features—Cisco IOS Release 12.0(25)SX

Cisco IOS Release 12.0(25)SX introduces support on the Cisco 10000 series router for the following features:

The Policy-Map Scaling feature increases the system-wide number of quality of service (QoS) policy maps that you can configure. In Cisco IOS Release 12.0(25)SX, the Cisco 10000 router supports up to 4,096 policy maps. Each policy-map command counts as one policy map. The policy-map command syntax is unchanged. The maximum number of classes that you can configure in a policy is 32 classes.

The Percent-Based Policing feature enables you to specify the police rate as a percentage of the bandwidth of the network interface on which policing is applied. To specify the police rate as a percentage, use the percent percent option of the police command:

The percent argument is a value from 1 to 100 and is required when you use the percent keyword.

When you use a percent-based police command within a nested policy, the police percent is based on the policy's topmost, class-default, shape rate. Otherwise, the police percent is based on the bandwidth of the network interface on which the police command is applied.

The Random Early Detection (RED) with Queue-Limit feature expands your ability to customize the size of a RED queue. In Cisco IOS Release 12.0(25)SX, you can simultaneously use the queue-limit and random-detect commands in the same class of a policy.

The Enhanced RED Statistics feature maintains RED drop statistics for each IP precedence or differentiated services code point (DSCP) value.

Note

In releases earlier than Cisco 12.0(25)SX, RED drop counts were maintained only for each class.

The 3-Level Policies feature increases the hierarchical levels of a nested QoS policy from two to three levels. A 3-level policy is typically used to define the transmission capacity of a virtual circuit in the top level, class-based queuing at the middle level, and marking or metering in the bottom level.

The service-policy command configured inside a policy map is used to define a hierarchical policy. The syntax of the command is unchanged. You can use the service-policy command in the top and middle levels of a 3-level policy.

The Virtual Circuit (VC) Oversubscription feature enables service providers to improve network utilization of otherwise underutilized shared networks by leveraging statistical multiplexing on ATM, Frame Relay, and IEEE 802.1Q networks. Instead of supporting only unconditional reservation of network bandwidth to VCs, the Cisco 10000 router offers VC oversubscription to statistically guarantee bandwidth to VCs.

To configure VC oversubscription for Frame Relay and IEEE 802.1Q, use the service-policy command. You can optionally use the service-policy class configuration command, creating a nested policy to manage traffic within a virtual circuit. For this reason, the term Nested Policy-Map Oversubscription is sometimes used to refer to VC Oversubscription.

To enable oversubscription of ATM VCs, you must configure the following interface configuration command in service-internal mode:

Note

You do not need to use the service-policy command to specify the ATM VC oversubscription, because a variable bit rate (VBR) ATM VC uses sustained cell rate (SCR) to define the VC's average transmission rate.

The External Border Gateway Protocol (EBGP) Label Distribution feature enables you to configure a carrier supporting carrier network that uses BGP to distribute routes and MPLS labels between the provider edge (PE) and customer edge (CE) routers of a backbone carrier and a customer carrier. The backbone carrier offers BGP and MPLS VPN services. The customer carrier can be one of the following:

For information on how to use BGP to distribute MPLS labels and routes for both types of customer carrier, refer to the MPLS VPN Carrier Supporting Carrier—IPv4 BGP Label Distribution, Release 12.0(21)ST feature module and the Inter-Autonomous Systems for MPLS VPNs, Release 12.1(5)T feature module.

New Features—Cisco IOS Release 12.0(25)S

The following is a brief list of the new features in Cisco IOS Release 12.0(25)S on which Cisco IOS Release 12.0(25)SX is based. Only new features that are supported by the Cisco 10000 router are listed here. New features for other platforms (such as the Cisco 12000 series router) are not listed.

Introduced on the Cisco 10000 router in Cisco IOS Release 12.0(23)SX, the Link Fragmentation and Interleaving (LFI) feature reduces delay and jitter on slower-speed links by breaking up large datagrams and interleaving low-delay traffic packets (such as voice) with the smaller packets resulting from the fragmented datagram. The feature supports Frame Relay (FRF.12) end-to-end and Multilink PPP (MLPPP).

Introduced on the Cisco 10000 router in Cisco IOS Release 12.0(23)SX, the single rate 3-Color Marker feature meters an IP packet stream and marks its packets different colors, based on the Committed Information Rate (CIR) and two associated burst sizes: Committed Burst Size (CBS) and Excess Burst Size (EBS). This feature is useful, for example, for ingress policing of a service, where service eligibility is determined only by the burst's length, and not its peak rate.

The Multicast for Multiprotocol Label-Switching (MPLS)/Virtual Private Network (VPN) feature enables service providers to offer multicast services over their MPLS core network. This feature was introduced on the Cisco 10000 router in Cisco IOS Release 12.0(23)SX.

This feature enables you to limit the number of routes that can be redistributed into the Open Shortest Path First (OSPF) protocol. The feature helps to eliminate the potential for flooding that might occur when a large number of routes are accidentally redistributed into OSPF.

This feature enables you to limit the number of routes that can be redistributed into the Intermediate System-to-Intermediate System (IS-IS) protocol. This feature helps to eliminate the potential for flooding that might occur when a large number of routes are accidentally redistributed into IS-IS.

This feature enables you to slow down the rate at which the Open Shortest Path First (OSPF) protocol sends Link State Advertisement (LSA) updates during periods of network instability. This feature uses a back-off algorithm to perform the LSA throttling.

Limitations and Restrictions

The following limitations and restrictions apply to the Cisco 10000 router 3-Level Policies feature:

•

A top-level policy must specify only the class named class-default with only the shape command specified before the service-policy command attaches an inner policy.

•

In an inner policy, to attach a service-policy command to a class's bottommost policy, do not configure the police and set commands for the class. Classes without a service-policy command configured are not restricted from using the police and set commands.

•

In a bottommost policy, configure only the police and set commands for a class.

•

Define each bottommost class map to match only those packets that also match its parent class map. For example, the union of the set of packets of a bottommost class and that of its parent class must be equal to the set of packets that match the parent class.

•

The nested-policy shape rate is reserved for nested-policy traffic only. Excess bandwidth is not used for other traffic.

Note

The actual shape rate applied to nested-policy traffic might differ from that specified in the policy. For example, a specified shape rate of 10.5 Mbps might be mapped to 11 Mbps. Use the command show policy-map interface to determine the actual shape rate.

Open Caveats—Cisco IOS Release 12.0(25)SX4

Table 1 Open Caveats in Cisco IOS Release 12.0(25)SX4
Caveat	Description
CSCea42432	(Duplicate of CSCea52307) If you delete a service policy from an ATM interface, a traceback message or error message may appear. Workaround: None.
CSCea74742	Policing conformed packets might be less than expected when the normal burst size is set to less than two times the packet size. Workaround: Change the normal burst size to a value larger than 2 times the police frame size.
CSCea93642	When a large number of policy maps are configured on the Cisco 10000 router, it could take more time than expected before all the policy maps activate. Before an interface's policy map activates, the traffic on the interface receives default treatment. The router compiles a super access control list (ACL) for each policy map configured. On an average, the compilation of one super ACL takes approximately one-half second. When a large number of policy maps are configured, the router requires more time to compile all of the super ACLs. Workaround: Wait approximately 0.65 seconds for each policy-map to become operational. For more than one policy map, wait (N * 0.65) seconds for all the policy maps to become operational (where N is the number of policy maps).
CSCeb02953	When traffic is sent through an ATM subinterface to which a QoS service policy is attached, the packet count of the output queue obtained by using the show policy-map interface command does not match the packet output count obtained by using the show interface atm-subinterface command. Workaround: To obtain the correct packet output count, use the show policy-map interface command. Do not use the show interface atm-subinterface command to obtain packet output counts for ATM subinterfaces.
CSCeb27728	When microcode is reloading and traffic is running over the interface, the interface output packet and byte counters display incorrect values. Workaround: Clear the counters.
CSCeb38728	Under extremely rare circumstances, when you remove a 3-level policy map attached to 4,000 VLAN interfaces, the Cisco 10000 router stops responding. Workaround: None.

Resolved Caveats—Cisco IOS Release 12.0(25)SX4

This section describes caveats that were fixed in Cisco IOS Release 12.0(25)SX4.

For information about caveats fixed in other Cisco IOS releases, refer to the appropriate Release Note document at the following URL:

Previously, when a system contained a large number of interfaces and each interface was configured with multiple policy maps, sometimes the CPU stopped responding.

Previously, when weighted random early detection (WRED) was configured in a policy map for class-based weighted fair queuing (CBWFQ), drop statistics were not provided per IP precedence or per differentiated services code point (DSCP) in the class-based queue.

Previously, when more than three queues (in addition to the priority queue) were configured on an interface, priority queue latency could exceed the priority queue latency threshold. This threshold is the amount of time to transmit two packets of the size specified by the MTU (maximum transmission unit) plus 6 milliseconds.

Previously, when you issued the write memory command, and then issued the erase nvram: command before the write memory command completed, the erase nvram: command erased the startup configuration. The erase nvram: command should not have executed before the write memory command completed.

Previously, when more than 256 route map policies or more than 32 route maps (sequence numbers) were configured for any one policy-based routing (PBR) route map policy, the system ignored excess route map policies or route maps (correct behavior). Additionally, an error message and a traceback message appeared similar to the following:

A traceback message should not have appeared, and the informational message should have indicated that the PBR limits for route map policies or route maps per policy were exceeded.

Previously, when weighted random early detection (WRED) was enabled and traffic on the interfaces was overloaded, a one-time parallel express forwarding (PXF) buffer leak occurred for a small fraction of the total number of available buffers. This did not have a visible effect on the operation of the Cisco 10000 router.

Previously, some interfaces did not appear in the IF-MIB. This condition occurred when a system was in Stateful Switchover (SSO) mode, and was then configured to change the redundancy mode to Route Processor Redundancy Plus (RPR+). The standby Performance Routing Engine (PRE) restarted. If new interfaces were added to the system at this point and the primary PRE was not reloaded, the new interfaces sometimes did not appear in the IF-MIB.

Previously, when you issued the shutdown command or the no shutdown command on an ATM subinterface, a traceback message might appear similar to the following:

•

The ATM interface was in a "down/down" state and a permanent virtual circuit (PVC) was configured on the ATM subinterface.

•

The ATM interface was in an "initializing/down" state, a PVC was configured on the ATM subinterface, and the line card was not present in the system.

This caveat is a duplicate of CSCed62971. The programming changes that resolved CSCec54090 also resolved CSCed62971. In CSCed62971, the problem was a loss of bandwidth on an ATM interface and the same traceback message as reported for CSCec54090 might appear.

Loss of bandwidth on an ATM interface occurred when the ATM interface was in a "down/down" state, a PVC with variable bit rate-nonreal time (VBR-NRT) traffic management was configured on a point-to-point ATM subinterface, and the shutdown command was issued on the subinterface. Deleting the PVC or deleting the ATM subinterface when the subinterface was in a shutdown state caused a loss of bandwidth on the ATM interface.

Previously, when a multilink PPP (MLP) bundle was deleted, a value was written to an invalid parallel express forwarding (PXF) memory location and that memory location was corrupted. This did not have a visible effect on the operation of the Cisco 10000 router.

Previously, when an ATM subinterface was deleted from a system that contained two performance routing engines (PREs) that were configured for high availability, the secondary PRE might reload. This condition did not affect performance.

Previously, when simultaneous write actions to nonvolatile random-access memory (NVRAM) occurred, the last checksum stored for NVRAM was incorrect. When the file system detected that the checksum for NVRAM was invalid, it assumed that all NVRAM data was invalid and NVRAM was reinitialized.

Previously, after a permanent virtual circuit (PVC) was configured or deleted on an ATM interface, multicast traffic over the ATM interface did not resume.

Previously, when large numbers of HDLC, abort, or cyclic redundancy check (CRC) errors were reported on multiple E1 ports on an E1/T1 line card, a random number of channels might go down. The channel failures could affect any port and could cause some packets to be dropped.

Previously, when percent-based policing was configured and burst parameters were specified in milliseconds, the burst parameters were calculated based on the bandwidth of the network interface. The burst parameters should have been calculated based on the committed information rate (CIR).

Previously, when low latency queuing (LLQ) was configured, queuing occurred on the real-time queue.

Previously, when Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) tunnels were configured and the next-hop router was from a third-party vendor, sometimes that router changed the label on the TE tunnel without tearing down the label switch path (LSP). The Cisco router did not program the changed label correctly and traffic stopped flowing through the TE tunnel.

Previously, when the clear counters command was issued on an interface and then the microcode reload pxf command was issued, the output packet counters on the interface might show incorrect totals. The counter values could be very large or zero.

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain TCP stack are susceptible to this vulnerability.

Previously, a queue with Link Fragmentation and Interleaving (LFI) configured might drop packets even when the traffic rate to that queue was 25 percent of its available bandwidth. This condition occurred when multiple class queues were configured with different bandwidth ratios on an interface or subinterface and fragmentation was enabled.

Previously, when a system contained an OC-3 line card, sometimes the following message was logged to the console:

Previously, when you removed the frame relay fragment command from a map class on the active route processor, this command might be retained in the configuration of the standby route processor after a switchover occurred.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

Ordering Documentation

•

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

•

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Go to this URL to visit the company store:

•

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

•

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

•

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

•

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

•

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

•

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

Table Of Contents

Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.0(25)SX4

Contents

Cisco Security Advisory

System Requirements

Memory Requirements

Upgrading to a New Software Release

Upgrading from Earlier Cisco IOS Releases

Upgrading Software on Redundant PREs

New Features—Cisco IOS Release 12.0(25)SX4

New Features—Cisco IOS Release 12.0(25)SX1

New Features—Cisco IOS Release 12.0(25)SX

New Features—Cisco IOS Release 12.0(25)S

Limitations and Restrictions

Open Caveats—Cisco IOS Release 12.0(25)SX4

Resolved Caveats—Cisco IOS Release 12.0(25)SX4

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information

Copyright � 2004 Cisco Systems, Inc. All rights reserved.